NIST defines assurance as, “the grounds for confidence that the set of intended cybersecurity and data privacy controls in a system, application or service are effective in their application.” Since assurance is relative to a specific set of controls, defects in those controls affect the underlying confidence in the ability of those controls to operate as intended to produce the stated results. Assurance helps define:
The level of confidence that a stakeholder has that an objective is achieved, that takes into consideration the risks associated with non-conformity (e.g., non-compliance); and
The anticipated, necessary cost to demonstrate conformity with the specified controls.
A “secure system” is a system that ensures that only the authorized intended behaviors and outcomes occur, thereby providing freedom from those conditions, both intentionally/with malice and unintentionally/without malice, that can cause a loss of information assets with unacceptable consequences. This definition expresses an ideal that captures three essential aspects of what it means to achieve security:
Enable the delivery of the required system capability despite intentional and unintentional forms of adversity;
Enforce constraints to ensure that only the desired behaviors and outcomes associated with the required system capability are realized while satisfying the first aspect; and
Enforce constraints based on a set of rules to ensure that only authorized human-to-machine and machine-to-machine interactions and operations are allowed to occur while satisfying the second aspect.
For a system, adequate security is an evidence-based determination that achieves and optimizes security performance against all other performance objectives and constraints. Judgments of adequate security are driven by the stakeholder objectives, needs, and concerns associated with the system. Adequate security has two elements:
Achieve the minimum acceptable threshold of security performance; and
Maximize security performance to the extent that any additional increase in security performance results in a degradation of some other aspect of system performance or requires an unacceptable operational commitment.
Can You Honestly Answer HOW Data Privacy & Cybersecurity Are Implemented At Your Organization?
When you "peel back the onion" and prepare for an audit, there is a need to address "the how" for certain topics, such as how Security by Design (SbD) and Privacy by Design (PbD) principles are managed. While policies and standards are designed to describe WHY something is required and WHAT needs to be done, many companies fail to create documentation to address HOW the policies and standards are actually implemented. We did the heavy lifting and created program-level documentation to address your Information Assurance (IA) needs.
Proactively Managing Information Assurance (IA)
ComplianceForge currently offers four (4) products that are specifically designed to assist companies with proactively managing Information Assurance operations:
Data Privacy Program (DPP) - Editable Privacy Program Template
Product Walkthrough Video
This short product walkthrough video is designed to give a brief overview about what the DPP is to help answer common questions we receive.
What Is The...
NIST 800-171 System Security Plan (SSP)
Product Walkthrough Video
This short product walkthrough video is designed to give a brief overview about what the SSP is to help answer common questions we receive.
What Is The NIST 800-171 System...